(From left) University of Maryland computer science Ph.D. students Richard Roberts and Julio Poveda are shown with their advisor, Associate Professor Dave Levin. The trio recently concluded a study that revealed significant privacy concerns with cellphones purchased from police property room auctions. Credit: University of Maryland
Law enforcement agencies across the country routinely sell items that are seized in criminal investigations or reclaimed from lost-and-found stores. Many of these items—vehicles, jewelry, watches and electronic equipment like cellphones—end up on online auction houses.
Those looking for a bargain can bid on cellphones in bulk and buy dozens of them at extremely low prices for parts or other uses. The sales ultimately provide revenue for the police agencies, making it a great deal for everyone involved. Or is it?
A recent study by security experts at the University of Maryland found that many phones sold at police property auction houses do not have personal data properly erased. A two-year study with cellphones purchased from America’s largest police auction house revealed a lot of personal information on previous owners that was readily available.
Of the 228 phones that the UMD team successfully bid on, 61 (27%) contained personal data such as social security numbers, credit card and banking information, passport data, driver’s license photos, and more.
“We were really surprised at the level of personal information and the ease of access to it,” said Dave Levin, an associate professor of computer science who led the UMD team.
Levin, a core faculty member at the University of Maryland Cyber Security Center, first became interested in the topic through a casual conversation with a colleague. After determining that there was a lapse in security—whether due to police not wiping the phones, or auction houses not taking proper security measures before shipping the items to the highest bidder—Levin and several of his graduate students began to investigate the problem and set out to determine its scale.
The first step was to work closely with university legal counsel and the Institutional Research Review Board to determine the appropriate protocols needed to view any personal data.
“There were strict guidelines in place: how every phone call we received was cataloged, what procedures we used to access the phones, and most importantly, what we would have to do legally if we got evidence of child abuse,” said Julio Poveda, a second-year computer science Ph.D. student who was part of the research team.
The UMD team found no evidence of child abuse, but uncovered other information that was inappropriate for public dissemination, such as depictions of adult nudity and drug use.
Levin pointed to the discovery that some of the phones he accessed had been used in criminal activities such as identity theft.
“It’s as if people who were victims of identity theft are being ‘victimized again’ by making their personal information available again for anyone to see,” he explained.
The UMD team determined that some of the phones had been used by sex workers, with text messages between the workers and their clients still intact.
“It’s important to remember that your phone doesn’t just contain your data, it contains the data of anyone you communicate with,” said Richard Roberts, a sixth-year computer science Ph.D. student and lead author of the study.
Roberts, who presented the team’s academic work at the IEEE Symposium on Security and Privacy earlier this year, said that across the 61 phones the researchers used, they determined that more than 7,000 people had had some form of digital contact.
Levin, Poveda, and Roberts are all security experts, but they decided not to use any sort of sophisticated digital forensics for their study. “We wanted to try to get access to any cellphone data using techniques that someone on the street might use,” Roberts said.
The researchers were surprised by how easy it was. One of the phones arrived with a sticky note attached in plain view showing the phone’s passcode, left over from the original police agency, which had already legally hacked the phone. Many other phones had PINs or passcode patterns that were easy to guess.
“Sadly, passcodes like 1-2-3-4 are still in common use today,” Levin said.
Last October, researchers visited the auction house where they bought the phones. The company—PropertyRoom.com, which bills itself as the largest police auction house in the U.S. working with more than 4,400 law enforcement agencies—promised to investigate the problem. Shortly thereafter, the company briefly stopped selling phones in large numbers, then resumed, prompting the researchers to purchase another batch.
“We found that PropertyRoom had begun erasing the phone but failed to erase the phone’s [Secure Digital] card, which in many cases contained a partial backup of the phone’s contents,” Levin said.
After pinging the company again to inform it of this oversight, the UMD researchers received no further response.
A subsequent investigative report by a local television station prompted the company to publish a message on its website, saying it was aware of the safety concerns and was taking corrective steps.
From a security perspective, Levin said, police agencies should avoid auctioning off used cellphones. “Just destroy them,” he said. “[Police agencies] don’t get that much money in return, and the potential damages far outweigh any financial incentives.”
He also suggested that people should take better precautions in case their phone is lost or stolen and resold.
“Use your phone under the assumption that someone else may later become its legal owner,” Levin said. “Set a passcode that’s hard to guess, minimize personal information that’s easy to access, and remotely wipe your phone if it’s lost or stolen. Otherwise, our study shows how easy it is for someone to get access to an incredible amount of your personal information.”
More information:
Richard Roberts et al., Blue Is the New Black (Market): Privacy Leaks and Re-extortions from Police-Auctioned Cellphones (2023). DOI: 10.1109/sp46215.2023.00167
Citation: Researchers uncover privacy risks in cellphones bought at police auctions (2023, 17 July), retrieved 17 July 2023